DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

JSON parsing error in SnykAnalysisTask #2772

Closed rsholokh closed 2 weeks ago

rsholokh commented 1 year ago

Current Behavior

The log is full of errors related to incorrect JSON in SnykAnalysisTask

2023-05-17 17:54:22,942 [] ERROR [org.dependencytrack.tasks.scanners.SnykAnalysisTask] Request failure
org.json.JSONException: A JSONObject text must begin with '{' at 1 [character 2 line 1]
    at org.json.JSONTokener.syntaxError(JSONTokener.java:501)
    at org.json.JSONObject.<init>(JSONObject.java:208)
    at org.json.JSONObject.<init>(JSONObject.java:404)
    at org.dependencytrack.tasks.scanners.SnykAnalysisTask.analyzeComponent(SnykAnalysisTask.java:323)
    at org.dependencytrack.tasks.scanners.SnykAnalysisTask.lambda$analyze$5(SnykAnalysisTask.java:242)
    at java.base/java.util.concurrent.CompletableFuture$AsyncRun.run(Unknown Source)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.base/java.lang.Thread.run(Unknown Source)

Presumably this is the reason why Snyk doesn't work for me, because out of hundreds of detected vulnerabilities, there is not a single one from Snyk

Steps to Reproduce

  1. Perhaps initiate a vulnerability scan of something

Expected Behavior

Proper JSON parsing in SnykAnalysisTask

Dependency-Track Version

4.8.1

Dependency-Track Distribution

Container Image

Database Server

H2

Database Server Version

No response

Browser

N/A

nscuro commented 1 year ago

~It's odd that you're seemingly getting a non-JSON response despite the HTTP status code indicating success~. Based on the provided stacktrace you are getting an error response from Snyk that does not provide a JSON body (which based on their API contract it should). Are there any proxies involved in your setup that could cause this?

Separately, I reckon there are multiple different products and plans offered by Snyk, and not all of them grant access to their REST API. Are you able to use your token with the "Issues" API here? https://apidocs.snyk.io

rsholokh commented 1 year ago

I get a 403 Forbidden response without any JSON in it - probably that's why the parsing error occurs. By the way, it would be very useful to add to Dependency-Track's Analyzers settings the ability to check the proper working of any analyzer with user credentials/secrets by pressing one button. Now I can only guess whether any particular analyzer really works or not.

msymons commented 1 year ago

In the API documentation:

i.e., Snyk did not respond with a 401, so it understood/accepted your token. It responded with a 403, meaning that you might be on the wrong plan (per @nscuro).

Per plans, the "Team" Plan does not include access to the API, but the "Enterprise" plan does.

You suggest:

check the proper working of any analyzer with user credentials/secrets by pressing one button

Specifically for Snyk, I logged this as #2395 and have just updated that issue.

jasonhills-drata commented 6 months ago

Could be a permissions issue. I saw the same error when using a Snyk service account with the Org Collaborator role. The errors were resolved after changing to the Org Admin role. I am on an Enterprise account.
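The failure mode in this thread is a client that hands every response body to a JSON parser, so a 403 with a plain-text body surfaces as a JSONException rather than as the permission problem it actually is. The following is an added example, not Dependency-Track's or Snyk's code: it checks status code and content type before parsing, and distinguishes 401 (token rejected) from 403 (token accepted, access denied) as the thread does. The `Response`/`Outcome` classes and the sample bodies are constructed here and do not reproduce Snyk's real payloads.

```python
import json
from dataclasses import dataclass
from typing import Any, Optional


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed for this example)."""
    status: int
    content_type: str
    body: str


@dataclass
class Outcome:
    kind: str            # "ok", "unauthorized", "forbidden", "http_error", "bad_body"
    detail: str
    data: Optional[Any] = None


def classify(resp: Response, preview: int = 120) -> Outcome:
    """Decide what to do with an analyzer response before handing it to a JSON parser.

    Order matters: status code first, then content type, then the body itself.
    Parsing unconditionally turns an auth/permission error into a parser error.
    """
    snippet = resp.body[:preview].replace("\n", " ")
    if resp.status == 401:
        return Outcome("unauthorized", "token rejected (401); check the API token")
    if resp.status == 403:
        return Outcome("forbidden",
                       f"token accepted but access denied (403); check plan/role. body: {snippet!r}")
    if not 200 <= resp.status < 300:
        return Outcome("http_error", f"unexpected HTTP {resp.status}. body: {snippet!r}")
    if "json" not in resp.content_type.lower():
        # e.g. a proxy login page returned with 200 instead of the API's JSON
        return Outcome("bad_body", f"2xx but Content-Type {resp.content_type!r} is not JSON. body: {snippet!r}")
    try:
        return Outcome("ok", "parsed", json.loads(resp.body))
    except json.JSONDecodeError as exc:
        return Outcome("bad_body", f"2xx with undecodable JSON ({exc.msg}). body: {snippet!r}")


# Constructed sample responses; shapes are assumed for illustration only.
FORBIDDEN_TEXT = Response(403, "text/plain", "Forbidden")
OK_JSON = Response(200, "application/vnd.api+json", '{"data": []}')
PROXY_HTML = Response(200, "text/html", "<html><body>proxy login</body></html>")
```

Logging `detail` (status plus a bounded body preview) instead of the parser's message is what turns "A JSONObject text must begin with '{'" into an actionable "check plan/role" entry.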